I have a requirement to route events to separate indexes based on two conditions.
1) must contain the string
2) Get the value contained in the
The index it needs to be routed to will be the value of businessdomainid + -sec
(ex. businessdomainid1-sec)
How do I write my regex and format statement to have this work?
Here's my transforms.conf so far
[Security]
SOURCE_KEY = _raw
DEST_KEY = _MetaData:Index
REGEX=(?m)\<BusinessDomainId\>(BusinessDomainId1|BusinessDomainId2|BusinessDomainId3)\</BusinessDomainId\>|<LogEventTypeCode>PI_EVENT</LogEventTypeCode>
FORMAT=$1
Sample event
<ELLogInputMessage>
<Header>
<LogEventTypeCode>PI_EVENT</LogEventTypeCode>
<LogSeverityCode>CRITICAL</LogSeverityCode>
<LogEventDateTime>2014-05-06T23:59:59.9999999-05:00</LogEventDateTime>
</Header>
<SourceInformation>
<EAPMId>1</EAPMId>
<HostMachineName>HostMachineName3</HostMachineName>
<HostEnvironmentName>HostEnvironmentName3</HostEnvironmentName>
<ComponentId>ComponentId3</ComponentId>
<ComponentName>ComponentName3</ComponentName>
<ApplicationEventCorrelationId>ApplicationEventCorrelationId3</ApplicationEventCorrelationId>
<UserId>UserId1</UserId>
<UserSrc>UserSrc1</UserSrc>
<BusinessDomainId>BusinessDomainId1</BusinessDomainId>
<BusinessDomainName>BusinessDomainName1</BusinessDomainName>
</SourceInformation>
<DataAccessInformation>
<DataCompId>DataCompId2</DataCompId>
<TypeOfAccess>VIEW</TypeOfAccess>
<SubjectOfInterest>
<SubjectId>SubjectId13</SubjectId>
<SubjectName>SubjectName13</SubjectName>
<SubjectDomainName>SubjectDomainName3</SubjectDomainName>
</SubjectOfInterest>
<AccessDateTime>2014-05-06T23:59:59.9999999-05:00</AccessDateTime>
</DataAccessInformation>
<DetailedLogInformation>anyType</DetailedLogInformation>
</ELLogInputMessage>
Your current regex will match events that contain either
REGEX=<LogEventTypeCode>PI_EVENT</LogEventTypeCode>[\s\S]*<BusinessDomainId\>(BusinessDomainId1|BusinessDomainId2|BusinessDomainId3)\</BusinessDomainId\>
FORMAT=$1-sec
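To check that the answer's REGEX/FORMAT pair really requires both conditions before it rewrites _MetaData:Index, here is an added Python harness (not part of the question or answer) that applies that regex to a trimmed, constructed version of the sample event; the `sample_event` helper and the event variants are assumptions made for the test, and Python's `re` agrees with Splunk's PCRE for this pattern.

```python
import re

# REGEX and FORMAT exactly as given in the answer above.
# PI_EVENT must appear before an allowed BusinessDomainId for the transform to fire.
ROUTE_REGEX = re.compile(
    r"<LogEventTypeCode>PI_EVENT</LogEventTypeCode>[\s\S]*"
    r"<BusinessDomainId\>(BusinessDomainId1|BusinessDomainId2|BusinessDomainId3)"
    r"\</BusinessDomainId\>"
)
FORMAT = "$1-sec"


def route_index(raw_event: str):
    """Return the index Splunk would write to _MetaData:Index for this event,
    or None when the transform does not match (event keeps its default index)."""
    m = ROUTE_REGEX.search(raw_event)
    if m is None:
        return None
    return FORMAT.replace("$1", m.group(1))


def sample_event(event_type: str, domain_id: str) -> str:
    """Constructed event, cut down from the sample in the question (hypothetical data)."""
    return f"""<ELLogInputMessage>
<Header>
<LogEventTypeCode>{event_type}</LogEventTypeCode>
<LogSeverityCode>CRITICAL</LogSeverityCode>
</Header>
<SourceInformation>
<BusinessDomainId>{domain_id}</BusinessDomainId>
<BusinessDomainName>BusinessDomainName1</BusinessDomainName>
</SourceInformation>
</ELLogInputMessage>"""


if __name__ == "__main__":
    # Both conditions hold: routed to BusinessDomainId1-sec
    print(route_index(sample_event("PI_EVENT", "BusinessDomainId1")))
    # Allowed domain, but the event type is not PI_EVENT: not routed
    print(route_index(sample_event("OTHER_EVENT", "BusinessDomainId1")))
    # PI_EVENT, but a domain outside the alternation: not routed
    print(route_index(sample_event("PI_EVENT", "BusinessDomainId4")))
    # The closing tag after the group stops a prefix match on BusinessDomainId10
    print(route_index(sample_event("PI_EVENT", "BusinessDomainId10")))
```

Because the alternation is followed by the closing tag, ids that merely start with an allowed value (BusinessDomainId10) are not routed; a regex without that closing tag would silently send them to the -sec index.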